Agenda item
Update Report to the ICT Shared Service for the London Boroughs of Brent, Lewisham and Southwark
This report provides an update on the performance of the Shared ICT Service.
Minutes:
Fabio Negro (Managing Director of Shared Service) introduced the report to the Joint Committee updating members on key performance areas in relation to the Shared Technology Service (STS):
Members noted the summary of key performance management indicators for the service across all three Councils, which had been included within Appendix A of the update report. In terms of detailed service performance, the Joint Committee were advised that since the last meeting in November 2022:
· In terms of tickets logged with the STS these had totalled 41,100 between 1st March and 31st May 2023 for all council application teams as well as the shared service (an average of 13,700 tickets per month) against 52,987 in the last reporting period November 2022 to February 2023 (an average of 13,247 tickets per month). These tickets consisted of both incidents and service requests, with members noting the breakdown of tickets logged as detailed within section 3.10 of the report.
· There had been 12 priority 1 STS infrastructure-related incidents within STS queues in the current 3-month reporting period (compared with 12 in the previous 4-month reporting period), 7 of which had been resolved within the Service Level Agreement (SLA). In addition, there had been 5 priority 1 incidents in this period caused by third-party issues and 1 priority one incident caused by user error.
· Priority 2 (not including auto-generated network related calls) and Priority 3 issues within STS queues had seen an average of 52% and 71% compliance with the SLAs from March 2023 to May 2023 (against 55% and 60% reported for the previous reporting period). A breakdown of the top seven categories for P2 and P3 calls had been provided within section 3.18 - 3.19 of the report. Priority 4 service requests within STS queues for this reporting period had a 75% compliance with the SLA for March 2023 to May 2023 (compared with 72% for the previous reporting period).
· In terms of open calls within STS operational queues, these stood at 2,300 which was slightly lower than at the end of the previous reporting period (November 2022 to February 2023). Logged calls into STS queues were typically 350 - 400 per day, with demand for the telephone service around 2,400 calls per month. Face-to-face visits to on-site teams had totalled 3,279 across the three councils in the reporting period, representing an average of 1,093 visits per month.
· The work undertaken to address the triage queue performance, which continued to be well maintained reflecting the efforts of the service design team to ensure relevant calls were being auto triaged to the appropriate target team queue using process flows within the Hornbill system. Members were also advised of the efforts being made to develop and refine the Hornbill capabilities, which had been further expanded to include asset management modules and information along with new process flows to facilitate improved auto-triaging of logged incidents and requests into the appropriate target team call queue. This had also enabled the analysis of data to a more detailed level, with improved call raise and closure categorisation.
· Work had been completed to enhance Wi-Fi connectivity and capacity within Brent Civic Centre with work also in progress within key sites across Lewisham and Southwark to improve performance and capacity, reflecting the increase in demand as staff returned to the office on a more regular basis.
· The upgrade to the Compute and Storage hardware platform had been completed, which was now running 99% of the compute workloads (in total, over 1,100 virtual servers). This had also enabled the old hardware environment to be switched off leading to a considerable reduction in energy requirements and carbon emissions.
· The benefits and ongoing security being provided through use of the Rubrik on-premises backup solution which had seen an on-premises backup job success rate of 98.42% during the reporting period. In addition, STS were now using a managed Rubrik CloudVault storage solution to move away from having to manage its own Microsoft Azure storage. This had removed a layer of administration and complexity and produced cost savings on cloud storage of backups. Using Rubrik’s O365 Backup as a Service for M365 workloads, STS had also achieved a 99.98% backup compliance with those workloads of email, OneDrive, Teams data and SharePoint.
At this stage, comments were then invited from members on the Service Performance update with the following issues raised:
· In terms of the impact of current performance in relation to calls logged under Priority 2, 3 and 4 on levels of compliance under the SLA, members remained keen to explore how realistic the key performance indicators remained. In response, members were advised of the ongoing review of performance targets and requirements within the Inter Authority Agreement, with the next formal review scheduled for later in 2023, which would be designed to take account of the core delivery model and how the service was structured to enable delivery of performance targets in order to match agreed KPIs and the changing nature and complexity of demand.
Fabio Negro then moved on to provide an update on the progress made in relation to Cyber Security across the Shared Service. In noting the update provided within sections 3.31 – 3.43 of the report, the Board were informed that no serious cyber security issues had been logged during the latest monitoring period. Work also continued with a third party recommended by the National Cyber Security Centre (NCSC) to proactively monitor the environment across all three boroughs. Whilst two incidents had been reported by the STS security partner over the reporting period, on investigation neither of these had been found to involve malicious activity.
In terms of specific updates, members noted:
· The details provided on two additional recent cyber security supply chain issues experienced. Whilst concerning, these had not impacted on data directly held by individual authorities, although the Joint Committee were advised these had highlighted a growing risk around supply chain management, which had resulted in the audit review of Cyber (3rd Party) being moved forward to understand what further measures could be taken to ensure the council's supply chain was appropriately protecting the council's data.
· In terms of Public Service Network (PSN) compliance, it was noted that Brent’s Remediation Action Plan was currently being reviewed by the Cabinet Office. Lewisham was currently undergoing its IT Health Check reassessment with Southwark’s health check having been completed in February and the remediation elements now being completed. The Joint Committee were also advised that Lewisham had recently conducted an IT Health Check, with the findings now being addressed and a similar Health Check of Brent's environment was due to commence in July 2023.
· The ongoing work being undertaken by STS in conjunction with their mail filtering partner to monitor and address potential malicious email activity, which remained a primary source of concern, with further detail set out within section 3.41 – 3.42 of the report.
· The completion of the programme of work to update security controls and harden infrastructure across all three authorities, which had included the deployment of tools to aid both vulnerability management and patching across the server estate as well as work to develop and deploy Microsoft endpoint protection to the laptop estate in order to maintain a compliance baseline on all devices.
· The work being undertaken by STS with third-party JumpSec and the London Office of Technology (LOTI) to conduct scans of internet-facing services, hosted by STS and third parties with issues identified as a result now having been resolved. This had been subsidised by a LOTI contribution.
Comments were then invited from members on the Cyber Security update, with the following issues raised:
· Whilst recognising the work being undertaken to address and mitigate against cyber security risks, the Joint Committee felt it would be useful to review the evolving nature of the risks and threats being faced (including measures being taken to identify and address concerns relating to cyber security vulnerabilities within the supply chain) along with the mitigations in place to address them, which it was agreed to provide (as a separate exempt update) for a future meeting.
· Whilst supportive of the efforts being made to address malicious email activity, further assurance was sought on the process used to filter emails in order to ensure those from legitimate sources were not blocked. In response Fabio Negro outlined the way in which the filters worked to categorise emails and safeguard the system. Whilst no specific concerns were raised by members regarding emails being blocked, the user friendliness of the Proofpoint filter system was highlighted as a potential area for further review.
In terms of other updates, the Joint Committee noted:
· The ongoing progress being made in terms of the Continuous model of Service Improvement as detailed within sections 3.44 – 3.49 of the report and Technology Roadmap as detailed within section 3.56 – 3.60 of the report, including the implementation of a Technical Design Authority governance process for new projects and initiatives. The Joint Committee also noted the introduction of a new product, designed to improve the current vulnerability patch management solution and reduce vulnerabilities around infrastructure in the cloud and on-premise.
· The details provided on the Top 10 risks identified for STS and the relevant mitigations in place to address them, as detailed within section 3.50 of the report. The Joint Committee welcomed the update provided but felt that moving forward those details relating to security risks should be considered as exempt information. In terms of specific issues raised on the risks identified, further details were sought on the risk and mitigations relating to spend on Microsoft Azure packages, on which Fabio Negro advised further details could be provided outside of the meeting.
· The details provided on the STS related audits which had been undertaken across all three authorities during 2022/23 along with progress on delivery of the recommended actions identified and audit plan for 2023/24, as detailed within section 3.51 – 3.55 of the report. It was noted that the final report on the Lewisham IT Asset Management Audit had now been produced, which had highlighted a number of actions for STS and the Council to resolve. Of these, six had been completed in advance of the final report being produced, with a further three having been completed since and most of the remaining actions dependent on the implementation of a Hardware Asset Management system, due at the end-July, which would also resolve four other outstanding actions in Brent.
· The update in relation to progress with the transfer of Lewisham Homes to the Shared Service, as detailed within section 3.61 – 3.62 of the report, with members keen to ensure that the lessons learnt as part of the initial transfer were used to inform the main migration scheduled for October 23. The new Lewisham Housing Management system had also been scheduled to go live in September, with Fabio Negro advising of the work being undertaken with the supplier to provide further assurance on delivery.
· The project updates provided within section 3.64 – 3.69 of the report. In terms of projects, 51 in-flight projects had been identified across Brent, Lewisham and Southwark representing a decrease of six since the last update. Whilst noting the decrease, the projects underway included the ongoing update of Microsoft operating systems to ensure they remained in compliance and support, rollout of Microsoft 365 in Brent and Lewisham, upgrades to Wi-Fi (including further significant projects identified as part of the pipeline) and key network solutions along with the options appraisal process for renewal of the telephone and contact centre contract across all three boroughs.
· The development of new capacity within STS to manage the starters, movers and leavers process, as detailed within section 3.70 – 3.71 of the report with the User Access Team having gone live in August 2022. This process had included the completion of a Hackathon exercise within Lewisham, supported by Microsoft and Department for Housing, Levelling Up and Communities, which had been designed to focus on the way starters, movers and leavers were managed across the council involving HR, security and IT. This had been recognised as a valuable process with a number of areas identified for review and further improvement and another session being set up to ensure momentum in terms of the lessons learnt. As a result of the issues identified in relation to both the Hackathon and IT Asset Management Audit members felt it would be useful to receive a briefing providing an overview of the areas for improvement identified and actions being taken in response, including the process for managing equipment and licenses provided for staff as part of any “reasonable adjustments”.
· The progress being made in relation to areas of continuous service improvement, as detailed within sections 3.72 – 3.75 of the report covering all aspects of the STS service including improvements to the Problem and Change management governance processes.
· The updates provided in relation to key procurements being undertaken across STS, as detailed within section 3.76 – 3.84 of the report. In view of complications experienced with final award of the mobile voice and data contract for Brent and Lewisham, the Joint Committee were advised that a new framework for the service had subsequently been put in place through the Crown Commercial Service Agreement with STS currently evaluating the market space for the best value-for-money solution and the aim to migrate or renew agreements towards the end of 2023. In considering the procurement update provided, members were keen to explore the way in which social value commitments could also be secured through the procurement process, including the Crown Commercial Service Framework Agreement and each Council’s procurement arrangements, with the example provided of digital apprenticeship schemes, on which the Joint Committee requested a separate briefing.
· The progress in terms of the update of the existing STS Strategy due for renewal in 2023. The new 2023-25 Strategy had been drafted and would now be subject to review and comment by members of the Joint Committee, prior to a final version being presented to each Council. As part of the update, clarification was requested by the Joint Committee on the governance arrangements needing to be followed across each borough on sign off on the final Strategy, which Fabio Negro advised he would seek to confirm.
· The details provided in relation to the financial performance of STS as detailed within section 4 of the report, with a balanced position forecast for 2023/24.
As no further matters were raised, the Joint Committee completed their consideration of the update report. The Chair thanked Fabio Negro for the updates provided and it was RESOLVED to note the update provided and actions being taken in relation to the ongoing performance and delivery of the Shared Service, as detailed within Section 3 and the Performance Pack (Appendix A) of the report, subject to the following additional actions identified:
· A separate update to be provided for the next meeting on the review of cyber security risks, threats and mitigations in place to address the issues identified alongside an outline of the measures being taken to identify and address concerns relating to cyber vulnerabilities in the supply chain.
· Details to be provided for members (outside of meeting) on the number of cyber incidents related to malicious emails and number of non-malicious emails prevented from getting through to their intended recipients by the filtering system.
· Details to be provided for members (outside of the meeting) on any financial impact arising from the risk identified in relation to spend on Microsoft Azure services.
· A separate briefing to be provided on lessons learnt from the recent Hackathon and Asset Management system audit undertaken in Lewisham regarding the process for managing starters, movers and leavers including the process for managing equipment and licenses provided for staff as part of any “reasonable adjustments”.
· A separate briefing to be provided for the Joint Committee on the potential to generate social value commitments through STS procurements being conducted through the Crown Commercial Service Framework Agreement, such as mobile voice and data services.
· Clarification to be obtained and provided on governance arrangements needing to be followed across each borough on sign off for the Inter Authority Agreement and STS Strategy.
Supporting documents:
- 06. Updated Joint Committee Report 11.07.23, item 6. PDF 1 MB
- 06a. Appendix A - Performance Pack, item 6. PDF 588 KB